
This AI can hack any website.
Before hackers do.

Paste your URL. Guardian tries to break into your app the same way a real attacker would — and tells you exactly what to fix.

10K+ apps protected · No install · Results in minutes
Agent complete
Guardian found 11 open doors in your app.
  • Critical: Anyone can make themselves admin.
  • Critical: Your entire database is open to the internet.
  • Warning: Stripe webhook isn't verifying signatures.
  • All good: Login & auth handling look solid. (Passed)
Your AI security agent. Always watching.
Lovable · v0 · Replit · Supabase · Firebase · Claude
Happening right now

Your AI doesn't know what it got wrong.

Every founder whose app was breached thought the same thing you're thinking: probably not mine.

01 Database key in the frontend
Matt S., Moltbook, January 2026

He found it in the browser console. Then he published it.

Matt built his app without reviewing a line of code. When it launched, the database key was sitting in the client-side JavaScript. A security researcher found it in minutes. No hacking, just looking. He extracted 35,000 user emails and 1.5 million private tokens. He messaged Matt at 11pm. By morning it was a published security report.

You haven't checked yours.

02 Admin route with no auth
Sarah K., vibe-coded SaaS, November 2025

The route was ready. The lock was not.

Sarah asked Cursor to build an admin panel: user management, subscription controls, the works. It built it fast. She shipped. What Cursor didn't add was auth. The route sat unprotected for 49 days. A scanner found it, and in one afternoon someone deleted 12,000 user records, reset every subscription to the lowest plan, and exported the email list. Her last backup was three weeks old. She never recovered the data.

Your AI builds routes. It doesn't always lock them.

03 Paywall accepting fake events
Indie founder, vibe-coded SaaS, 2025

Eight months of building. Half the MRR he thought.

He'd been building for eight months. MRR showed $4,200. Then a consultant pulled the logs. 47 of his Pro users had never paid. Someone had found a way to send a fake 'payment confirmed' event and the app upgraded them automatically. No card. No error. No alert. His real revenue was $2,100. He'd been building for unpaid users for months without knowing.

You don't know if your paywall is real.


Wednesday morning. 340 unread emails. The first is from a user: their data showed up on a paste site. By noon it's a thread on Hacker News. By Thursday it's the first result when anyone searches your app's name. The data doesn't come back. Neither do the users who left that week. You didn't write the feature that caused it. Your AI did. The fix was two lines of code.

A real founder. A real overnight.
$87,500 while he slept

Claude Code put his live Stripe key in the frontend JavaScript. Any visitor could read it. Attackers found it in hours. 175 customers charged $500 each while he slept.

“I just assumed it knew what it was doing.”

The difference

Guardian finds it before anyone else does.

Paste your URL. The agent runs. Every hole above, checked and explained in plain English, with the exact fix your AI can apply.

Without Guardian

Ship. Hope. Pray.

You launch and cross your fingers. Problems arrive as customer complaints or bad news.

  • You find out on Twitter.
    At 2am. From a stranger. Your app is trending. You have 74 unread DMs. You don't know what happened yet.
  • You hire an audit.
    $3,000. Two weeks. A report in jargon you can't read. You still have to fix it yourself.
  • You drop the error into Claude Code.
    It writes something. You ship it. You have no way to know if it actually closed the hole. Your users are still exposed.

With Guardian

Know. Fix. Ship.

Paste your URL and get a complete security report. Every vulnerability explained clearly, every fix ready to hand straight to your AI.

  • A complete report, not a jargon dump.
    Every issue explained clearly: what's broken, who could get in, and what it would cost you.
  • The exact fix, ready for your AI.
    One sentence per issue. Drop it into Cursor or Claude Code, accept the change. Fixed in 60 seconds.
  • Run it after every deploy.
    Two minutes. If something opened up, you know before your users do.
How it works

Three steps. No install.

If you can paste a URL, you can use Guardian. That's the entire setup.

Paste your URL.

The link to your live app. That's it. No tokens, no config file, no GitHub access needed.

https://my-saas.vercel.app

Guardian probes it like an attacker would.

Not a checklist. A security agent trained on thousands of AI-built apps, running thousands of attack-pattern checks. It knows what Claude Code, Codex, and Cursor forget because it has seen them forget the same things thousands of times. Time depends on what it finds.

Anyone can read your orders table
Your Stripe webhook accepts forged events
OpenAI key visible in browser
Login & password handling: solid

Paste the fix into your AI.

Every finding comes with a ready-made prompt. Drop it in Cursor, accept the diff, ship. Done in under a minute.

→ paste into Cursor

In my Supabase project, the orders table lets anyone read it. Turn on row level security and add a policy so each person only sees their own orders.

Real makers

They found out. Before it cost them everything.

Real founders. Real vulnerabilities. These are the specific holes in specific apps, built exactly like yours. Every finding is the one we actually surfaced.

I shipped whatever Cursor told me and assumed it was fine. Guardian told me anyone could read my users' data. Twelve hours before my Product Hunt launch.

Markus K.
Indie maker, Berlin
Guardian surfaced 3 critical holes before launch

The fix is literally a sentence I paste into Claude. I don't need to understand the technical details. My AI does. Guardian just hands me the fix.

Priya D.
Solo founder, $4k MRR
Guardian surfaced 1 leaked key in her Git history

I stopped waking up at 3am worrying. Guardian watches for me. If anything opens up, I get a Slack. Genuine peace of mind.

Daniel R.
Indie SaaS, $12k MRR
Guardian surfaced 2 issues caught from a new deploy
Pricing

Simple. No surprises.

Pick the coverage you need and cancel any time. Every plan gets the same quality of findings; higher tiers watch more sites and run deeper AI checks.

Pro

$69 / month
For your first product. Daily watch + weekly AI deep-dive.
  • 1 site
  • 4 AI scans / month
  • Extra scans available
  • JSON export
  • Email alerts

Scale

$299 / month
For agencies and teams. Continuous watch + weekly AI deep-dive on all 10 sites.
  • 10 sites
  • 24 AI scans / month
  • Extra scans available
  • JSON export
  • Email alerts
FAQ

Honest answers.

If yours isn't here, email support@tryguardian.dev. A real human replies fast.

No. If you can paste a URL, you can use Guardian. We write findings in normal English ("anyone can read your users' orders"), and the fix is a sentence you paste into your AI. Your AI handles the rest.
Live. While your app is exposed.

Find out before they do.

Your app is live right now. So are the scripts scanning it.

Paste your URL. The agent runs. A few minutes later you know exactly what an attacker would find — in plain English, with the fix included. Every hour you wait, hacker AI agents are probing your app.

Paid plans · No install · Every finding includes the fix